From: Mimi Zohar <zohar@linux.ibm.com>
To: Jarkko Sakkinen <jarkko@kernel.org>,
Eric Snowberg <eric.snowberg@oracle.com>
Cc: David Howells <dhowells@redhat.com>,
"dwmw2@infradead.org" <dwmw2@infradead.org>,
"ardb@kernel.org" <ardb@kernel.org>,
"jmorris@namei.org" <jmorris@namei.org>,
"serge@hallyn.com" <serge@hallyn.com>,
"nayna@linux.ibm.com" <nayna@linux.ibm.com>,
"keescook@chromium.org" <keescook@chromium.org>,
"torvalds@linux-foundation.org" <torvalds@linux-foundation.org>,
"weiyongjun1@huawei.com" <weiyongjun1@huawei.com>,
"keyrings@vger.kernel.org" <keyrings@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"linux-efi@vger.kernel.org" <linux-efi@vger.kernel.org>,
"linux-security-module@vger.kernel.org"
<linux-security-module@vger.kernel.org>,
"James.Bottomley@hansenpartnership.com"
<James.Bottomley@hansenpartnership.com>,
"pjones@redhat.com" <pjones@redhat.com>,
Konrad Wilk <konrad.wilk@oracle.com>
Subject: Re: [PATCH v9 2/8] integrity: Introduce a Linux keyring called machine
Date: Sat, 15 Jan 2022 21:55:47 -0500 [thread overview]
Message-ID: <f8598ca4e51e0b98aa98a1386c6f40bd04acdf15.camel@linux.ibm.com> (raw)
In-Reply-To: <YeMdY+FLM32tmRMz@iki.fi>
On Sat, 2022-01-15 at 21:15 +0200, Jarkko Sakkinen wrote:
> On Sat, Jan 15, 2022 at 09:14:45PM +0200, Jarkko Sakkinen wrote:
> > On Sat, Jan 15, 2022 at 07:12:35PM +0000, Eric Snowberg wrote:
> > >
> > >
> > > > On Jan 15, 2022, at 10:11 AM, Jarkko Sakkinen <jarkko@kernel.org> wrote:
> > > >
> > > > On Wed, Jan 12, 2022 at 02:41:47PM -0500, Mimi Zohar wrote:
> > > >> On Tue, 2022-01-11 at 20:14 -0500, Mimi Zohar wrote:
> > > >>> On Tue, 2022-01-11 at 21:26 +0000, Eric Snowberg wrote:
> > > >>>>
> > > >>>>> On Jan 11, 2022, at 11:16 AM, Mimi Zohar <zohar@linux.ibm.com> wrote:
> > > >>>>>
> > > >>>>> On Mon, 2022-01-10 at 23:25 +0000, Eric Snowberg wrote:
> > > >>>>>>> Jarkko, my concern is that once this version of the patch set is
> > > >>>>>>> upstreamed, would limiting which keys may be loaded onto the .machine
> > > >>>>>>> keyring be considered a regression?
> > > >>>>>>
> > > >>>>>>
> > > >>>>>> Currently certificates built into the kernel do not have a CA restriction on them.
> > > >>>>>> IMA will trust anything in this keyring even if the CA bit is not set. While it would
> > > >>>>>> be advisable for a kernel to be built with a CA, nothing currently enforces it.
> > > >>>>>>
> > > >>>>>> My thinking for the dropped CA restriction patches was to introduce a new Kconfig.
> > > >>>>>> This Kconfig would do the CA enforcement on the machine keyring. However if the
> > > >>>>>> Kconfig option was not set for enforcement, it would work as it does in this series,
> > > >>>>>> plus it would allow IMA to work with non-CA keys. This would be done by removing
> > > >>>>>> the restriction placed in this patch. Let me know your thoughts on whether this would
> > > >>>>>> be an appropriate solution. I believe this would get around what you are identifying as
> > > >>>>>> a possible regression.
> > > >>>>>
> > > >>>>> True the problem currently exists with the builtin keys, but there's a
> > > >>>>> major difference between trusting the builtin keys and those being
> > > >>>>> loading via MOK. This is an integrity gap that needs to be closed and
> > > >>>>> shouldn't be expanded to keys on the .machine keyring.
> > > >>>>>
> > > >>>>> "plus it would allow IMA to work with non-CA keys" is unacceptable.
> > > >>>>
> > > >>>> Ok, I’ll leave that part out. Could you clarify the wording I should include in the future
> > > >>>> cover letter, which adds IMA support, on why it is unacceptable for the end-user to
> > > >>>> make this decision?
> > > >>>
> > > >>> The Kconfig IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
> > > >>> "help" is very clear:
> > > >>
> > > >> [Reposting the text due to email formatting issues.]
> > > >>
> > > >> help
> > > >> Keys may be added to the IMA or IMA blacklist keyrings, if the
> > > >> key is validly signed by a CA cert in the system built-in or
> > > >> secondary trusted keyrings.
> > > >>
> > > >> Intermediate keys between those the kernel has compiled in and the
> > > >> IMA keys to be added may be added to the system secondary keyring,
> > > >> provided they are validly signed by a key already resident in the
> > > >> built-in or secondary trusted keyrings.
> > > >>
> > > >>
> > > >> The first paragraph requires "validly signed by a CA cert in the system
> > > >> built-in or secondary trusted keyrings" for keys to be loaded onto the
> > > >> IMA keyring. This Kconfig is limited to just the builtin and secondary
> > > >> keyrings. Changing this silently to include the ".machine" keyring
> > > >> introduces integrity risks that previously did not exist. A new IMA
> > > >> Kconfig needs to be defined to allow all three keyrings - builtin,
> > > >> machine, and secondary.
> > > >>
> > > >> The second paragraph implies that only CA and intermediate CA keys are
> > > >> on secondary keyring, or as in our case the ".machine" keyring linked
> > > >> to the secondary keyring.
> > > >>
> > > >> Mimi
> > > >>
> > > > I have also now test environment for this patch set but if there are
> > > > any possible changes, I'm waiting for a new version, as it is anyway
> > > > for 5.18 cycle earliest.
> > >
> > > Other than the two sentence changes, I have not seen anything identified
> > > code wise requiring a change. If you’d like me to respin a v10 with the sentence
> > > changes let me know. Or if you want to remove the ima reference, that works
> > > too. Just let me know how you want to handle this. Thanks.
> >
> > I'm basically waiting also Mimi to test this as I do not have IMA test
> > environment.
> >
> > From my side:
> >
> > Tested-by: Jarkko Sakkinen <jarkko@kernel.org>
>
> I can pick the whole thing at the time when I get green light.
The MOK keys are not loaded onto the .machine keyring if
CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is enabled.
From an IMA perspective nothing has changed.
After the IMA references in the patch descriptions are removed, feel
free to add Tested-by: Mimi Zohar <zohar@linux.ibm.com> on patches 1 -
5.
thanks,
Mimi
next prev parent reply other threads:[~2022-01-16 2:56 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-05 23:50 [PATCH v9 0/8] Enroll kernel keys thru MOK Eric Snowberg
2022-01-05 23:50 ` [PATCH v9 1/8] integrity: Fix warning about missing prototypes Eric Snowberg
2022-01-08 16:25 ` Jarkko Sakkinen
2022-01-05 23:50 ` [PATCH v9 2/8] integrity: Introduce a Linux keyring called machine Eric Snowberg
2022-01-09 21:57 ` Mimi Zohar
2022-01-10 23:25 ` Eric Snowberg
2022-01-11 18:16 ` Mimi Zohar
2022-01-11 21:26 ` Eric Snowberg
2022-01-12 1:14 ` Mimi Zohar
2022-01-12 19:41 ` Mimi Zohar
2022-01-12 23:00 ` Eric Snowberg
2022-01-12 19:41 ` Mimi Zohar
2022-01-15 17:11 ` Jarkko Sakkinen
2022-01-15 19:12 ` Eric Snowberg
2022-01-15 19:14 ` Jarkko Sakkinen
2022-01-15 19:15 ` Jarkko Sakkinen
2022-01-16 2:55 ` Mimi Zohar [this message]
2022-01-16 20:10 ` Jarkko Sakkinen
2022-01-18 16:32 ` Eric Snowberg
2022-01-05 23:50 ` [PATCH v9 3/8] integrity: add new keyring handler for mok keys Eric Snowberg
2022-01-08 22:21 ` Jarkko Sakkinen
2022-01-05 23:50 ` [PATCH v9 4/8] KEYS: store reference to machine keyring Eric Snowberg
2022-01-08 22:22 ` Jarkko Sakkinen
2022-01-05 23:50 ` [PATCH v9 5/8] KEYS: Introduce link restriction for machine keys Eric Snowberg
2022-01-08 22:25 ` Jarkko Sakkinen
2022-01-09 22:42 ` Mimi Zohar
2022-01-10 23:36 ` Eric Snowberg
2022-01-05 23:50 ` [PATCH v9 6/8] efi/mokvar: move up init order Eric Snowberg
2022-01-08 22:27 ` Jarkko Sakkinen
2022-01-05 23:50 ` [PATCH v9 7/8] integrity: Trust MOK keys if MokListTrustedRT found Eric Snowberg
2022-01-08 22:28 ` Jarkko Sakkinen
2022-01-05 23:50 ` [PATCH v9 8/8] integrity: Only use machine keyring when uefi_check_trust_mok_keys is true Eric Snowberg
2022-01-08 22:30 ` Jarkko Sakkinen
2022-01-09 1:47 ` Mimi Zohar
2022-01-10 0:12 ` Mimi Zohar
2022-01-11 2:26 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f8598ca4e51e0b98aa98a1386c6f40bd04acdf15.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=James.Bottomley@hansenpartnership.com \
--cc=ardb@kernel.org \
--cc=dhowells@redhat.com \
--cc=dwmw2@infradead.org \
--cc=eric.snowberg@oracle.com \
--cc=jarkko@kernel.org \
--cc=jmorris@namei.org \
--cc=keescook@chromium.org \
--cc=keyrings@vger.kernel.org \
--cc=konrad.wilk@oracle.com \
--cc=linux-efi@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=nayna@linux.ibm.com \
--cc=pjones@redhat.com \
--cc=serge@hallyn.com \
--cc=torvalds@linux-foundation.org \
--cc=weiyongjun1@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).